recognised certificates of the Enhanced Competency Framework on Cybersecurity (ECF-C).

The ECF-C sets out the competency standards for cybersecurity practitioners in

practitioners for meeting the Core Level of the ECF-C. Updates are shown in

1. Introduction


1.1 Cybersecurity has become more important to the banking sector. According to research, in 2017 the global average annualised cost of cybercrimes amounted to HK$91.85 million (equivalent to US$11.7 million) per year.¹ The same research shows that the financial sector experienced the highest average annualised cost as compared with other industry segments in 2017. As internet and digital banking services have become more common, the modern bank is now under an unprecedented spectrum of attacks which are copious in number and sophisticated in complexity. To build the required resilience against these cyber threats, banks need to formulate new and dynamic system designs that will provide a rapid response to such attacks.


1.2 In Hong Kong, the cyber security landscape has changed drastically over the last decade. Cyber threats in Hong Kong continue to rise in number: the Hong Kong Computer Emergency Response Team Coordination Centre (“HKCERT”) reported that there were 24,118 security events related to Hong Kong in the third quarter of 2018, representing a 183% increase in cyber-attacks year on year.² According to police statistics, financial losses due to cybercrime cases amounted to HK$2.3 billion in Hong Kong during 2016.³


1.3 With respect to the banking sector in Hong Kong, the city is one of the most popular targets for banking malware attacks.⁴ The Hong Kong Institute of Bankers (“HKIB”) is quoted as stating that “the banking sector is 300% more likely to face cyber-attacks than any other sector”.⁵ In light of the heightened cyber risk in the banking sector, the Hong Kong banking industry recognises the vital importance of protecting banks and their customers from cyber-attacks, and of upholding Hong Kong's position as a leading international financial centre.


1 Ponemon Institute LLC (sponsored by Hewlett Packard Enterprise). "2017 Cost of Cyber Crime Study: Global". Publication date: October 2017. Retrieved on 19 November 2018 from https://www.accenture.com/us-en/insight-cost-of-cybercrime-2017

2 Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT). "Hong Kong Security Watch Report — 2018 Q3". Publication date: 31 October 2018. Retrieved on 19 November 2018 from https://www.hkcert.org/my_url/en/blog/18101501

3 Research Office, Legislative Council Secretariat. "Cybersecurity in Hong Kong". Publication date: 20 December 2017. Retrieved on 19 November 2018 from https://www.legco.gov.hk/research-publications/english/1718issh06-cyber-security-in-hong-kong-20171220-e.pdf

4 Kaspersky Lab. "Kaspersky Security Bulletin 2015", p.51. Retrieved on 22 July 2016 from https://securelist.com/files/2015/12/Kaspersky-Security-Bulletin-2015_FINAL_EN.pdf

5 SCMP. "On the defence: Hong Kong Monetary Authority to boost cybersecurity for city's banking system". Publication date: 18 May 2016. Retrieved on 27 July 2016 from http://www.scmp.com/news/hong-kong/economy/article/1946686/defence-hong-kong-monetary-authority-boost-cybersecurity

1.4 In order to further enhance the cyber resilience of the banking sector in Hong Kong, the Hong Kong Monetary Authority (“HKMA”) announced in May 2016 the launch of the Cybersecurity Fortification Initiative (“CFI”), which includes introducing a common risk-based assessment framework for Hong Kong banks, a professional training and certification programme that aims to increase the supply of qualified professionals, and a cyber-intelligence sharing platform.

1.5 In parallel with the CFI's professional training and development programme, the HKMA has developed a module on cybersecurity under the Enhanced Competency Framework (ECF) for banking practitioners. The goal is to introduce an industry-wide competency framework for the banking sector that enables talent development and facilitates the building of professional competencies and capabilities of those working in cybersecurity. In view of the evolving cybersecurity risks, it is imperative that banks start enhancing their cybersecurity cultures by equipping staff with the right skills, the right knowledge and the right behaviour.


2. Objectives

2.1 The ECF on Cybersecurity (hereinafter referred to as “ECF-C”) is a non-statutory framework which sets out the common core competences required of cybersecurity practitioners in the Hong Kong banking industry. The objectives of the ECF-C are twofold:

(a) to develop a sustainable talent pool of cybersecurity practitioners for the workforce demand in this sector; and

(b) to raise and maintain the professional competence of cybersecurity practitioners in the banking industry.

2.2 Although the ECF-C is not a mandatory licensing regime, authorized institutions (“AIs”) are encouraged to adopt the ECF-C. This includes:

(a) to serve as a benchmark to determine the level of competence required and to assess the ongoing competence of individual employees;

(b) to support relevant employees to attend training programmes and examinations that meet the ECF-C benchmark;

(c) to support the continuing professional development of individual employees; and

(d) to specify the ECF-C as one of the criteria for recruitment purposes.


3. Scope of application

3.1 The ECF-C is aimed at persons (referred to as ‘Relevant Practitioners’) engaged by AIs undertaking cybersecurity roles. Under the ECF-C, a ‘Relevant Practitioner’ is defined as:

“a new entrant or an existing practitioner engaged by an authorized institution to perform in roles ensuring operational cyber resilience”.

3.2 For the avoidance of doubt, the following categories of staff are excluded from the definition of ‘Relevant Practitioners’:

(a) those who are not required to perform the three key roles specified under the ECF-C (i.e. IT Security Operations and Delivery, IT Risk Management and Control, and IT Audit); and

(b) those who perform key roles solely in the information technology operating function of an AI, such as system developers, system operators, helpdesk operators, and IT support.

3.3 AIs have the responsibility to ensure that Relevant Practitioners performing duties in overseas branches and subsidiaries are competent and have the capability required under the ECF-C. However, we understand that the qualifications held by staff outside Hong Kong may differ from the required qualifications set out in the ECF-C. To allow flexibility in implementing the ECF-C, AIs may exercise sound judgment in evaluating whether those staff in overseas branches and subsidiaries possess equivalent qualifications that are:

(a) formally recognised by the list of certificates under the ECF-C (see Section 5.1); and/or

(b) similar to the list of certificates under the ECF-C (see Section 5.1), in which case the ‘similarity’ criterion should be determined based on the following three factors:

i. recognition of the qualification by the local industry;
ii. technical qualification of the certificates; and
iii. ethical requirement of the qualification.


4. Qualification structure

4.1 The qualification structure of the ECF-C comprises the following two levels, based on the length of work experience of Relevant Practitioners in performing the tasks specified in Annex 1:

(a) Core Level - This level is applicable to entry-level staff with less than 5 years of relevant work experience in the cybersecurity function.

(b) Professional Level - This level is applicable to staff with 5 or more years of relevant work experience in the cybersecurity function.

4.2 The qualification structure is driven by the key roles based upon the three lines of defence concept under cyber risk governance (hereinafter referred to as the “key roles”):

(i) first line of defence: IT Security Operations and Delivery
(ii) second line of defence: IT Risk Management and Control
(iii) third line of defence: IT Audit

Details of the roles and qualification requirements can be found in Annex 2.

4.3 Relevant Practitioners are considered qualified under the ECF-C if they are in possession of one or more of the certificates listed under the ECF-C (refer to Section 5.1). The relevant process flow is illustrated in Annex 3.

4.4 It is quite common for some smaller banks to have employees assuming multiple job roles. In such a situation, if the staff concerned takes charge of any cybersecurity role in the three lines of defence, whether on a part-time or full-time basis, he or she should be considered a Relevant Practitioner.


5. Recognised certificates

5.1 Under the ECF-C, the list of recognised certificates is as follows (✓ = recognised for that key role):

Recognised certificates                                          | First Line of Defence: IT Security Operations and Delivery | Second Line of Defence: IT Risk Management and Control | Third Line of Defence: IT Audit
Core Level                                                       |   |   |
CSX Fundamentals Certificate                                     | ✓ | ✓ | ✓
CSX Practitioner Certificate (CSX-P)                             | ✓ | ✓ | ✓
GIAC Information Security Professional (GIAC GISP)               | ✓ | ✓ |
GIAC Security Essentials (GSEC)                                  | ✓ | ✓ | ✓
ISC² Systems Security Certified Practitioner (SSCP)              | ✓ |   |
HKIB Associate Cybersecurity Professional (ACsP)                 | ✓ | ✓ | ✓
Professional Level                                               |   |   |
CSX Specialist Certificate (CSX-S)                               | ✓ | ✓ | ✓
CSX Expert Certificate (CSX-E)                                   | ✓ | ✓ | ✓
ISACA Certified Information Systems Auditor (CISA)               | ✓ | ✓ | ✓
ISACA Certified Information Security Manager (CISM)              | ✓ | ✓ | ✓
ISACA Certified in Risk and Information Systems Control (CRISC)  |   | ✓ |
ISACA Certified in the Governance of Enterprise IT (CGEIT)       |   | ✓ |
ISC² Certified Information Systems Security Professional (CISSP) | ✓ | ✓ | ✓
ISC² Certified Cloud Security Professional (CCSP)                | ✓ | ✓ |


6. Training programmes and examinations

6.1 Relevant Practitioners can meet the ECF-C certification requirements by obtaining the relevant qualifications.

7. Continuing Professional Development (CPD) requirements

7.1 The aim of the CPD arrangement is to ensure that Relevant Practitioners maintain their competency levels by updating their existing knowledge base and skill set, particularly in light of the constantly evolving cybersecurity regulatory environment and the fast-paced change in trends.

7.2 Relevant Practitioners who have successfully obtained the qualifications listed under Section 5.1 should fulfil the CPD requirement of the relevant certification scheme. As a general guideline, Relevant Practitioners are expected to maintain a minimum of 20 CPD hours each year, and a minimum of 120 CPD hours over every 3-year period.

8. Grandfathering

8.1 Grandfathering arrangements are not applicable under the ECF-C.

9. Maintenance of relevant records

9.1 As a matter of good practice, AIs are encouraged to maintain up-to-date records of Relevant Practitioners within the organisation who meet the Core / Professional Level of qualification as set out in this guide.


Annex 1 - Example of key tasks for roles under ECF-C

I) Core Level

Role 1: IT Security Operations and Delivery (Core Level)

Key tasks

Operational Tasks:
1. Implement and enforce the bank's IT security policies.
2. Responsible for the day-to-day security operation of the bank, including access control configuration, reviewing program change requests, reviewing IT incidents, security reporting, etc.
3. Implement a cybersecurity monitoring framework.
4. Collect data on cybersecurity-related risk, attacks, breaches and incidents, including external data and statistics as appropriate.
5. Investigate security incidents by gathering evidence and reviewing system logs / audit trails.
6. Provide operational support to systems and network teams regarding security-related matters.

Technical Tasks:
1. Monitor network traffic through implemented security tools to proactively identify indicators of compromise (e.g. host-based IDS/IPS, network-based IDS/IPS, firewall logs, application logs).
2. Perform maintenance and operation support for security devices such as firewall, IPS / IDS, VPN, anti-virus and encryption services.
3. Participate in developing, tuning and implementing threat detection analytics.





II) Professional Level

Role 1: IT Security Operations and Delivery (Professional Level)

Key tasks

Operational Security Tasks:
1. Define cybersecurity requirements as a subset of general information security requirements.
2. Implement cybersecurity control mechanisms which are consistent with the bank's risk strategy.
3. Implement general IT risk and control mechanisms such as access controls, program change / development controls and IT operations controls.
4. Manage information systems security operations, including security operations performance.
5. Define an appropriate framework for cybersecurity monitoring (including monitoring requirements, indicators, datasets, collection and analytical methods).
6. Analyse cybersecurity incidents and make recommendations on remediation actions.
7. Implement corrective action plans to address process and control deficiencies identified by the second and third lines of defence.

Technical Tasks:
1. Plan and design security architectures and implement different security solutions to safeguard the bank's network and systems.
2. Research security standards, security systems and authentication protocols.
3. Develop technical requirements and controls for network, system and data security.
4. Provide technical guidance to the systems and network team regarding security configurations.
5. Perform risk analyses on existing security infrastructure and implement security enhancements.
6. Implement systems and procedures to enable digital forensics capabilities.








I) Core Level

Role 2: IT Risk Management and Control (Core Level)

Key tasks:
1. Assist management in developing processes and controls to manage IT risks and control issues.
2. Assist in communicating the risk management standards, policies and procedures to stakeholders.
3. Apply processes to ensure that IT operational and control risks are at an acceptable level within the risk thresholds of the bank, by evaluating the adequacy of risk management controls.
4. Analyse and report to management, and investigate any non-compliance with risk management policies and protocols.


II) Professional Level

Role 2: IT Risk Management and Control (Professional Level)

Key tasks:
1. Design, develop and update the IT risk management framework, policies and controls, taking into consideration the bank's strategy, current/future regulatory requirements and emerging risk scenarios.
2. Communicate IT risk management standards, policies and procedures to stakeholders of the bank.
3. Assess the potential cybersecurity impact of emerging technologies and innovations, and include known risks and issues.
4. Identify control weaknesses in cybersecurity from a risk-based perspective.
5. Define monitoring requirements and indicators for measuring the higher-level risk position.
6. Monitor, review and update the IT risk profile and controls on a regular basis.
7. Ensure IT security/risk compliance within the AI.
I) Core Level

Role 3: IT Audit (Core Level)

Key tasks:
1. Assist in the execution of audits in compliance with audit standards.
2. Assist in the fieldwork and conducting tests.
3. Assist in evaluating data collected from tests.
4. Document the audit, test and assessment process and results.
5. Ensure appropriate audit follow-up actions are carried out promptly.


II) Professional Level

Role 3: IT Audit (Professional Level)

Key tasks:
1. Plan audits to assess the controls, reliability and integrity of the IT environment and systems.
2. Execute a risk-based audit strategy in compliance with auditing standards.
3. Perform inherent risk and maturity level assessments.
4. Assess the inherent risk and maturity assessment results and review improvement plans for identified gaps.
5. Communicate audit and assessment results and recommendations to stakeholders.
6. Evaluate IT plans, strategies, policies and procedures to ensure adequate management oversight.
7. Assess the adequacy and effectiveness of controls on an ongoing basis.
Annex 2 - Key roles, qualifications and CPD requirements under ECF-C Competency Framework

I) Core Level

For entry-level staff with less than 5 years of relevant work experience in cybersecurity.

Role 1: IT Security Operations and Delivery (Core Level)
Role description: Apply daily administrative operational processes.
Qualifications (certificates recognised):
• CSX Fundamentals Certificate
• CSX Practitioner Certificate (CSX-P)
• GIAC Information Security Professional (GIAC GISP)
• GIAC Security Essentials (GSEC)
• ISC² Systems Security Certified Practitioner (SSCP)
• HKIB Associate Cybersecurity Professional (ACsP)
CPD requirements: Minimum 20 CPD hours each year; and minimum 120 CPD hours over every 3-year period.

Role 2: IT Risk Management and Control (Core Level)
Role description: Assist in development and communication of control processes.
Qualifications (certificates recognised):
• CSX Fundamentals Certificate
• CSX Practitioner Certificate (CSX-P)
• GIAC Information Security Professional (GIAC GISP)
• GIAC Security Essentials (GSEC)
• HKIB Associate Cybersecurity Professional (ACsP)
CPD requirements: Minimum 20 CPD hours each year; and minimum 120 CPD hours over every 3-year period.

Role 3: IT Audit (Core Level)
Role description: Conduct and document audits.
Qualifications (certificates recognised):
• CSX Fundamentals Certificate
• CSX Practitioner Certificate (CSX-P)
• GIAC Security Essentials (GSEC)
• HKIB Associate Cybersecurity Professional (ACsP)
CPD requirements: Minimum 20 CPD hours each year; and minimum 120 CPD hours over every 3-year period.
II) Professional Level

For staff with 5 or more years of relevant work experience in cybersecurity.

Role 1: IT Security Operations and Delivery (Professional Level)
Role description: Manage information systems security operations.
Qualifications (certificates recognised):
• CSX Specialist Certificate (CSX-S)
• CSX Expert Certificate (CSX-E)
• ISACA Certified Information Systems Auditor (CISA)
• ISACA Certified Information Security Manager (CISM)
• ISC² Certified Information Systems Security Professional (CISSP)
• ISC² Certified Cloud Security Professional (CCSP)
CPD requirements: Minimum 20 CPD hours each year; and minimum 120 CPD hours over every 3-year period.

Role 2: IT Risk Management and Control (Professional Level)
Role description: Manage IT risk management and control procedures and policies.
Qualifications (certificates recognised):
• CSX Specialist Certificate (CSX-S)
• CSX Expert Certificate (CSX-E)
• ISACA Certified Information Systems Auditor (CISA)
• ISACA Certified Information Security Manager (CISM)
• ISACA Certified in Risk and Information Systems Control (CRISC)
• ISACA Certified in the Governance of Enterprise IT (CGEIT)
• ISC² Certified Information Systems Security Professional (CISSP)
• ISC² Certified Cloud Security Professional (CCSP)
CPD requirements: Minimum 20 CPD hours each year; and minimum 120 CPD hours over every 3-year period.

Role 3: IT Audit (Professional Level)
Role description: Plan and execute audit and assessments.
Qualifications (certificates recognised):
• CSX Specialist Certificate (CSX-S)
• CSX Expert Certificate (CSX-E)
• ISACA Certified Information Systems Auditor (CISA)
• ISACA Certified Information Security Manager (CISM)
• ISC² Certified Information Systems Security Professional (CISSP)
CPD requirements: Minimum 20 CPD hours each year; and minimum 120 CPD hours over every 3-year period.





Annex 3 - Routes to certification

ECF on Cybersecurity Core Level:

[Flowchart: route to Core Level certification; not reproduced in text.]

*For Relevant Practitioners performing duties in overseas branches and subsidiaries, please refer to Section 3.3.

ECF on Cybersecurity Professional Level:

[Flowchart: route to Professional Level certification; not reproduced in text.]

*For Relevant Practitioners performing duties in overseas branches and subsidiaries, please refer to Section 3.3.